Crooks have found a new venue to push malware: the official Google Chrome Web Store. It was recently used to hawk Chrome browser extensions secretly hijacking users’ Facebook profiles.

According to Kaspersky Lab expert Fabio Assolini, one malicious extension hosted on Google’s own servers contained hidden code that “can gain complete control” of the user’s Facebook profile. The extension then used that access to spread malicious messages and register Facebook Likes for certain items, also inviting fellow users to install it. The same operators advertised a service that delivered Likes of companies looking to promote their profiles. It costs about $27 per 1,000 Likes.

The company distributing this malicious extension was unnamed in the report as was the specific app. Assolini said Google personnel removed the malicious extension shortly after Kaspersky reported it to them. “But we noted the bad guys behind this malicious scheme are uploading new extensions regularly, in a cat and mouse game,” he warned. He didn’t elaborate on the number of extensions or how long he’s been observing them other than to say the malicious app Kaspersky discovered had 932 users.

Over the past few years, the openness of Google’s Android Market has represented one of the more conspicuous ways its users are attacked. As the software equivalent of a Wikipedia-like bazaar to which anyone may contribute, it has repeatedly been seeded with applications that take liberties with end users’ phones and data. Kaspersky’s report suggests similar attacks are exploiting Google’s Chrome Web Store.

“It is against the Chrome Web Store Content Policies to distribute malware,” a Google spokesman wrote in an email. “When we detect items containing malware or learn of them through reports, we remove them from the Chrome Web Store and from active Chrome instances. We’ve already removed several of these extensions, and we are improving our automated systems to help detect them even faster.”

Crooks have found a new venue to push malware: the official Google Chrome Web Store. It was recently used to hawk Chrome browser extensions secretly hijacking users’ Facebook profiles.

According to Kaspersky Lab expert Fabio Assolini, one malicious extension hosted on Google’s own servers contained hidden code that “can gain complete control” of the user’s Facebook profile. The extension then used that access to spread malicious messages and register Facebook Likes for certain items, also inviting fellow users to install it. The same operators advertised a service that delivered Likes of companies looking to promote their profiles. It costs about $27 per 1,000 Likes.

The company distributing this malicious extension was unnamed in the report as was the specific app. Assolini said Google personnel removed the malicious extension shortly after Kaspersky reported it to them. “But we noted the bad guys behind this malicious scheme are uploading new extensions regularly, in a cat and mouse game,” he warned. He didn’t elaborate on the number of extensions or how long he’s been observing them other than to say the malicious app Kaspersky discovered had 932 users.

Over the past few years, the openness of Google’s Android Market has represented one of the more conspicuous ways its users are attacked. As the software equivalent of a Wikipedia-like bazaar to which anyone may contribute, it has repeatedly been seeded with applications that take liberties with end users’ phones and data. Kaspersky’s report suggests similar attacks are exploiting Google’s Chrome Web Store.

“It is against the Chrome Web Store Content Policies to distribute malware,” a Google spokesman wrote in an email. “When we detect items containing malware or learn of them through reports, we remove them from the Chrome Web Store and from active Chrome instances. We’ve already removed several of these extensions, and we are improving our automated systems to help detect them even faster.”

Kaspersky Lab has found malware-laden Chrome extensions, along with a criminal gang playing cat and mouse with Google by releasing several variations of its wares.

The attacks manifest as suggestions to download Facebook apps. Those apps are, alas, not real. Instead they are malware and, in one case, a malware-laden Chrome extension hosted in Google’s very own Chrome Web Store.

The malware pretends to be a Flash Player installer but instead downloads a Trojan which writes messages to a victim’s Facebook profile and automatically Likes certain pages.

The former activity contains an alluring message suggesting your Friends download the same malware. The auto-Liking behaviour is part of a pay-per-Like scheme that helps the criminals to cash in.

Variations on this attack have been around for a few weeks now, Kaspersky says, but is so far largely confined to Brazil and other Portuguese-speaking nations.

Google is pulling the malware as fast as the criminals can sneak new variants into the Chrome Web Store.

Google has patched nine vulnerabilities in Chrome in the sixth security update to Chrome 17, the edition that launched on February 8.

The update was the first since the Chrome security team issued a pair of quick fixes during the “Pwnium” hacking event held earlier this month at the CanSecWest security conference.

Six of the nine bugs patched were rated “high,” the second-most dire ranking in Google’s threat system. One was marked “medium,” and the remaining two were labeled “low.”

Google paid $5,500 in bounties to four researchers for reporting five bugs. The four other vulnerabilities were uncovered by members of Google’s own security team or were too minor to be eligible for a bonus.

Cross-origin violation

Three of the four researchers who reported flaws fixed in Chrome 17 have been recently recognised by Google.

Sergey Glazunov, who received a $2,000 bounty for submitting a bug described by Google as “cross-origin violation with ‘magic iframe’,” was one of two $60,000 prize winners at Pwnium earlier this month.

Glazunov was the first to claim cash at Pwnium, the Chrome-only hacking challenge that Google created after it withdrew from the long-running Pwn2Own contest over objections about the latter’s exploit reporting practices.

Two others, Arthur Gerkis and a researcher known as “miaubiz”, received $1,000 and $2,000, respectively, for bugs that Google patched.

Gerkis and miaubiz were two of the three outside bug hunters who were given special $10,000 bonuses three weeks ago for what Google called “sustained, extraordinary” contributions to its vulnerability reporting programme.

Sandbox escape

So far this year, Google has paid nearly $200,000 to outside researchers through its bug bounty and Pwnium programs.

Google will not be patching a Chrome bug revealed in “Pwn2Own,” the other hacking contest that ran at CanSecWest.

At Pwn2Own, a team from the French security firm Vupen exploited Chrome by using a one-two punch of a bug in Flash Player – which Google bundles with its browser – and a Chrome “sandbox escape” vulnerability.

Because Pwn2Own sponsor HP TippingPoint’s Zero Day Initiative (ZDI) bug bounty programme does not require researchers to disclose sandbox escape vulnerabilities, Google was not told how the Vupen team hacked Chrome.

The update to Chrome 17 can be downloaded for Windows, Mac OS X and Linux from Google’s website. Users running the browser will receive the new version automatically through its silent, in-the-background update service.

Google has updated its Chrome browser, fixing an issue that was first uncovered at its Pwnium browser hacking contest. A Russian security researcher won $60,000 for demonstrating his exploit at the hackathon solely focused on Chrome hacks.

Chrome is viewed as one of the most secure web browsers by the security community, primarily because of its sandboxed architecture, which restricts how it interacts with the OS and significantly limits what attackers can do if they exploit a vulnerability. A panel of security experts from Accuvant and Coverity, who analysed the defensive capabilities of modern browsers in depth, said last week at the RSA security conference that Chrome’s sandbox prevents processes from doing much of anything on the system.

However, there is a consensus in the security community that while sandboxing is a strong anti-exploitation mechanism, it does not provide a perfect defence and a determined attacker can theoretically defeat it, although with a lot of work.

For this year’s CanSecWest conference, Google decided to run a contest called Pwnium in parallel with TippingPoint’s well known Pwn2Own contest, which rewards security researchers for finding and exploiting unpatched remote code execution (RCE) vulnerabilities in browsers.

Pwnium has a maximum prize pool of $1 million (£600,000) and rewards various types of Chrome exploits. The largest prize is $60,000 and is awarded to researchers who demonstrate persistent RCE exploits that target only vulnerabilities in Google Chrome’s code.

The first to earn this top reward was Sergey Glazunov, a regular Chrome bug hunter, who demonstrated an exploit that completely bypassed Chrome’s sandbox.

The exploit was validated by the Google Chrome team.

“Congrats to long time Chromium contributor Sergey Glazunov who just submitted our first Pwnium entry. Looks like it qualifies as a ‘Full Chrome’ exploit,” Sundar Pichai, Google’s senior vice president for Chrome, said via his Google+ account. “We’re working fast on a fix that we’ll push via auto-update.”

Other Chrome security engineers, like Justin Schuh or Chris Evans, expressed their excitement about the exploit via Twitter.

“What a great bug from Sergey. But still a whole ton of cash left, hoping for more entrants,” Evans said.

Glazunov, who has earned many rewards for finding Chrome vulnerabilities in the past, wasn’t at CanSecWest in person. Instead he submitted his Pwnium entry through independent security researcher Aaron Sigel.

During day one of the Pwn2Own contest, a team of researchers from French security firm VUPEN Security also managed to hack Chrome. However, Chrome’s security team suspects that the researchers’ exploit targeted a vulnerability in the Flash Player plug-in that comes with the browser by default.

If that’s true, VUPEN’s exploit would have only qualified for a Pwnium consolation prize of $20,000, had it been submitted to the contest. VUPEN didn’t confirm that their Pwn2Own Chrome exploit targeted a Flash Player vulnerability, which isn’t prohibited by the Pwn2Own contest rules.

It may be hard out there for a pimp, but it just got a little bit more lucrative for a hacker.

Google announced on Monday that it would pay $1 million in cash awards to anyone who can hack its Chrome browser during its Pwnium security challenge next week in Vancouver at the CanSecWest conference.

Google has pledged to pay multiple awards in the amounts of $60,000, $40,000 and $20,000, depending on the severity of the exploits, up to $1 million. Winners will also receive a Chromebook.

“We require each set of exploit bugs to be reliable, fully functional end to end, disjoint, of critical impact, present in the latest versions and genuinely ’0-day,’ i.e. not known to us or previously shared with third parties,” Google wrote on its blog.

The exploits must work against Windows 7 machines running the Chrome browser.

$20,000 – “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. Although not specifically Chrome’s issue, we’ve decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer.

Google’s hack challenge will run alongside the $15,000 Pwn2Own contest that runs each year at CanSecWest, which challenges researchers to exploit vulnerabilities in fully patched browsers and other software.

Last year, Google offered a $20,000 bounty, on top of the base $15,000 Pwn2Own prize, for anyone who successfully downed Chrome, but there were no takers. Chrome is currently the only browser eligible for the Pwn2Own contest that has never been brought down, Ars Technica notes. Contestants have indicated that difficulties bypassing Google’s security sandbox is the reason they’ve avoided the browser and focused on Internet Explorer and Safari.